- Low (?)
- Versions Affected:
- 3.0.8, 3.1.2 and all earlier versions
- Versions Fixed:
- Release Date:
While there is no known vector to exploit this without a valid CMS login, the core team feels its safest to whitelist the tags allowed in the ExtraMeta property, defaulting to <link> and <meta> only. This means existing projects with page-specific <script> tags will need to have these tags moved into SilverStripe templates. Alternatively, you can add a new HTMLText $db property in your Page class definition (suggested name: $HeaderScripts).
This whitelist will not apply to existing data in the SiteTree.ExtraMeta column on existing pages. In order to ensure no exploit has already been persisted, and check if you need to move <script> tags to templates, we suggest you search this column in your project database:
SELECT * FROM "SiteTree" WHERE "SiteTree"."ExtraMeta" LIKE '%<script%'
SELECT * FROM "SiteTree_Live" WHERE "SiteTree"."ExtraMeta" LIKE '%<script%'
Thanks to Daniel Hensby for reporting.